Russian-Speaking APTs Turla and Sofacy Share Malware Delivery Scheme, Select Targets in Asia

New findings presented at Virus Bulletin 2018 show aspects of Turla
beginning to overlap with Sofacy

researchers monitoring the various clusters of the long-standing
Russian-speaking threat actor, Turla (also known as Snake or Uroburos),
have discovered that the most recent evolution of its KopiLuwak malware
is delivered to victims using code nearly identical to that used just a
month earlier by the Zebrocy operation, a subset of Sofacy (also known
as Fancy Bear and APT28), another long-standing Russia-speaking threat
actor. The researchers also found target overlap between the two threat
actors, centered on geopolitical hotspots in central Asia, as well as
sensitive government and military entities.

The findings are included in an overview of the
latest evolution and activity of four active clusters attributed to the
Turla threat actor
, presented today at Virus
Bulletin 2018
by members of the Kaspersky Lab Global Research and
Analysis Team.

KopiLuwak (the name derives from a rare type of coffee) was first
discovered in November 2016, delivering documents containing malware and
with macros enabled that dropped new, heavily obfuscated Javascript
malware designed for system and network reconnaissance. The most recent
evolution of KopiLuwak was observed in mid-2018, when researchers
noticed new targets in Syria and Afghanistan. Turla used a new
spear-phishing delivery vector with Windows shortcut (.LNK) files.
Analysis showed that the LNK file contained PowerShell to decode and
drop the KopiLuwak payload. This PowerShell was almost identical to that
used in Zebrocy activity a month earlier.

The researchers also found some targeting overlap between the two threat
actors, focused on sensitive political targets, including government
research and security entities, diplomatic missions and military
affairs, mainly in central Asia.

Other Turla malware clusters tracked by the researchers during 2018
include those known as Carbon and Mosquito.

In their overview, the researchers provide further evidence to support
the hypothesis that Wi-Fi networks were abused by Turla to deliver
Mosquito malware to victims, a practice that may be tapering off. They
also found further modification of the mature and powerful Carbon
cyberespionage framework, which has traditionally been installed only
very selectively on victims of particular interest, and the researchers
expect to see further code modifications and selective deployment of
this malware into 2019. The 2018 targets for the Turla malware clusters
include the Middle East and Northern Africa, as well as parts of Western
and Eastern Europe, Central and South Asia and the Americas.

“Turla is one of the oldest, most enduring and capable known threat
actors, renowned for constantly shedding its skin and trying out new
innovations and approaches,” said Kurt Baumgartner, principal security
researcher, Kaspersky Lab GReAT. “Our research into its main malware
clusters during 2018 shows that it continues to regrow and experiment.
However, it is worth noting that while other Russia-speaking threat
actors like CozyDuke (APT29) and Sofacy were targeting organizations in
the west, such as allegedly hacking the Democratic National Committee in
2016, Turla was quietly deploying its operations towards the east, where
their activity and, more recently, even their delivery techniques began
to overlap with Sofacy’s Zebrocy subset. Our research suggests Turla’s
code development and implementation is ongoing, and organizations that
believe they could be a target should prepare for this.”

To reduce the risk of falling victim to advanced targeted attack
operations, Kaspersky Lab recommends organizations consider the
following actions:

  • Use a proven corporate grade security solution in combination with
    anti-targeted attack technologies and threat intelligence, like the Kaspersky
    Threat Management and Defense
    solution. These are capable of
    spotting and catching advanced targeted attacks by analyzing network
    anomalies, and give cybersecurity teams full visibility over the
    network and response automation.
  • Provide security staff with access to the latest threat intelligence
    data, which will arm them with helpful tools for targeted attack
    research and prevention, such as indicators of compromise (IOC), YARA
    and customized advanced threat reporting.
  • Ensure enterprise grade patch management processes are well
    established and double check all system configurations and implement
    best practices.
  • If you spot early indicators of a targeted attack, consider managed
    protection services that will allow you to proactively detect advanced
    threats, reduce dwell time and arrange timely incident response.

For further details of 2018 Turla activity, read the blog on Securelist.
Private reports on the latest activity of the various Turla clusters are
available to customers of Kaspersky
Intelligence Reporting
. Contact intelreports@kaspersky.com
for more information.

About Kaspersky Lab
Kaspersky Lab is a global cybersecurity
company, which has been operating in the market for over 20 years.
Kaspersky Lab’s deep threat intelligence and security expertise is
constantly transforming into next generation security solutions and
services to protect businesses, critical infrastructure, governments and
consumers around the globe. The company’s comprehensive security
portfolio includes leading endpoint protection and a number of
specialized security solutions and services to fight sophisticated and
evolving digital threats. Over 400 million users are protected by
Kaspersky Lab technologies and we help 270,000 corporate clients protect
what matters most to them. Learn more at www.kaspersky.com.


Kaspersky Lab
Jessica Bettencourt, 781-503-7851


I have been involved with publishing and marketing for the past 32 years. My passion is helping people share their voice. I am able to do this through two important venues: One, with Area-Info.net where people can share everything from opinions to events to news. It is your choice! What do you want to share? Two, through a new program called America's Real Deal I am involved with to help business owners get their voice heard.I schedule speaking engagements with community groups and business groups to share my passion about the importance of "sharing your voice".Contact me directly at lee@leeeverton.com for scheduling information.